Call yourself a 'hacker', watch your ex-boss seize your PC without warning
Court rules coder's computer can be suddenly snatched in 'software knockoff' spat
A US district court has ruled that self-confessed "hackers" have all the skills needed to swiftly destroy evidence, allowing anyone suing them to seize their equipment without warning.
The court in Idaho decided that a software developer’s computer could be confiscated without prior notice primarily because his website stated: “We like hacking things and don’t want to stop.”
Thuen, while working for Battelle, helped develop an application today known as Sophia, which fires off alerts if it detects industrial control equipment coming under electronic attack. Battelle – which was tasked with beefing up the computer security of US electricity plants, energy sources and other critical sites – wanted to license this technology, but Thuen hoped to open source the code, according to the plaintiffs.
Sophia, which had been in development since 2009, underwent testing in 2012 and attracted the attention of power companies.
Thuen left Battelle before setting up Southfork Security. According to Battelle, Southfork Security competed against other firms to license Sophia from Battelle before withdrawing in April 2013, a month before an outfit called NexDefense was awarded the right to negotiate an exclusive commercial licence.
Around the same time, in May 2013, Southfork Security began marketing a “situational awareness” program called Visdom that Battelle alleges is a knockoff of Sophia.
Battelle Energy Alliance sued Thuen, claiming that Visdom was based on stolen code, and accused Southfork and Thuen of copyright infringement, trade secret misappropriation and breach of contract, among other allegations, according to legal filings seen by The Register.
What elevates the case from a run-of-the-mill intellectual property dispute is that Battelle persuaded the court to allow it to seize Thuen's computer to copy its files. The district court ruled that the programmer has the skills, as a "hacker", to release the contested code publicly, cover his tracks, and destroy any evidence if he knew a seizure was imminent:
The court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy... The tipping point for the court comes from evidence that the defendants – in their own words – are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act. And concealment likely involves the destruction of evidence on the hard drive of Thuen’s computer. For these reasons, the court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.
The plaintiff also obtained a temporary restraining order against Thuen and Southfork Security without prior notice primarily because, again, the Southfork website declared “we like hacking things and we don’t want to stop".
This statement was used to prop up the claimants' argument that Thuen and Southfork "have the technical ability to wipe out a hard drive [and] will do precisely that when faced with allegations of wrongdoing". That would seem to fall short of the usual legal test for granting a restraining order, that the defendants have “a history of disposing of evidence or violating court orders”, but the district court granted the restraining order nonetheless.
The order prevents Thuen and his company from releasing any of the contested source code.
Battelle’s lawyers also raised national security concerns by arguing that releasing the Sophia utility as open-source code would hand strategic and vital information to wannabe power-plant hackers. Thuen and Southfork were not given the opportunity to appear before the court and contest this argument before the seizures were carried out and the restraining order on the business imposed.
A good overview of the whole contentious case so far can be found in a blog post by control system security consultancy Digital Bond. ®
Updated to add
There is a debate over whether the court's ruling ran roughshod over a person's rights against unreasonable seizures as enshrined in the US Constitution's Fourth Amendment: some have argued that such protections do not extend to discovery requests in private civil cases.
Sponsored: 2016 Cyberthreat defense report